Commit 52721a2c authored by Paul Cammish

Updated Apache Templates

parent 9849d4bb
Define PHPMYADMIN_FORCE_SSL
# Relax PHP Restrictions
<Directory /usr/share/phpmyadmin >
php_admin_value open_basedir /usr/share/phpmyadmin:/usr/share/php:/etc/phpmyadmin
</Directory>
<IfModule rewrite_module>
# Force phpMyAdmin to use HTTPS.
RewriteCond "%{HTTPS}" "off"
RewriteCond "%{HTTP_HOST}" =""
RewriteRule "^/?(phpmyadmin.*)$" "https://<%= hostname %>/$1" [R=301,L]
RewriteCond "%{HTTPS}" "off"
RewriteRule "^/?(phpmyadmin.*)$" "https://%{HTTP_HOST}/$1" [R=301,L]
</IfModule rewrite_module>
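Review bot: `</IfModule rewrite_module>` on the last line is not valid Apache syntax — closing tags take no argument, and httpd's config parser rejects it as a closing tag missing its '>' — so the file fails configtest and nothing in it loads; it should read `</IfModule>`. The block also contains no `RewriteEngine On`, unlike the equivalent phpmyadmin block in ssl.template.erb (L412), so unless the engine is already enabled in the context this file is included from, the two HTTPS redirect rules never fire and /phpmyadmin stays reachable over plain HTTP; the enclosing context of this fragment is not visible here. I would add `RewriteEngine On` directly after the `<IfModule rewrite_module>` line.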
####
###
##
#
# This file is automatically generated from the template located at
# /etc/sympl/apache.d/non_ssl.template.erb.
#
# Feel free to make changes to this file. However, If changes are made,
# then this file will NOT be updated automatically when the template changes.
#
# Feel free to make changes to this file, however this file
# will NOT be updated automatically when the template changes.
##
###
# Vim Defaults: //vim: ts=2:tw=78: et:
<VirtualHost <%= ips.collect{|ip| ip+":80"}.join(" ") %>>
#
# Put our server name
#
# Set the ServerName to this sites domain name.
ServerName <%= domain %>
#
# This is the testing alias.
#
# Add the testing alias and any others.
ServerAlias <%= domain %>.testing.<%= hostname() %>
#
# And server alias in place
#
<%= server_aliases %>
#
# This is the directory people are redirected to if their site is
# empty.
#
# This provides a helpful error message when the root of the
# site has no content or is inaccessible.
Alias /__sympl/ "/usr/share/sympl/static/"
<Directory "/usr/share/sympl/static/">
......@@ -41,91 +27,70 @@
Require all granted
</Directory>
#
# And this makes that redirection happen.
#
<LocationMatch "^/+$">
Options -Indexes
ErrorDocument 403 /__sympl/index.html
ErrorDocument 404 /__sympl/index.html
</LocationMatch>
#
# Allow users to override settings via .htaccess
# and enables PHP in htdocs/.
#
<Directory <%= htdocs_directory %>/ >
# Allow users to override settings via .htaccess
<Directory "/srv">
AllowOverride all
Require all granted
</Directory>
% if php_security_disabled?
#
# Set unique tmp/ and sessions/ directories
#
# Set a unique php_tmp/ and php_sessions/ directory for the site.
php_admin_value upload_tmp_dir <%=domain_directory%>/php_tmp/
php_admin_value session.save_path <%=domain_directory%>/php_sessions/
# WARNING: Further PHP restrictions are disabled.
% else
#
# Restricts PHP from leaving the public directory.
# Also sets unique tmp and sessions directories.
#
# Restrict PHP from leaving the public directory.
# and set a unique php_tmp/ and php_sessions/ directories.
php_admin_value open_basedir <%=domain_directory%>/public/:<%=domain_directory%>/php_tmp/:<%=domain_directory%>/php_sessions/
php_admin_value upload_tmp_dir <%=domain_directory%>/php_tmp/
php_admin_value session.save_path <%=domain_directory%>/php_sessions/
#
# Prevent executing anything from a WordPress uploads directory,
# And block access to any PHP files in that directory.
#
# and block access to any PHP files in that directory.
<LocationMatch "wp-content/uploads/">
php_admin_flag engine off
php_admin_flag engine off
</LocationMatch>
<LocationMatch "wp-content/uploads/.*\.php">
deny from all
deny from all
</LocationMatch>
% end
#
# The document root
#
# Set the DocumentRoot
DocumentRoot <%= htdocs_directory %>/
<IfModule cgi_module>
#
# General CGI Handling
#
ScriptAlias /cgi-bin/ <%= cgibin_directory %>/
<Location /cgi-bin>
Options +ExecCGI
</Location>
</IfModule>
#
# Disable indexes by default on the top-level.
#
<LocationMatch "^/+$">
Options -Indexes
</LocationMatch>
#
# Disable any restrictions or rewrites to /.well-known/acme-challenge
# This ensures Let's Encrypt can validate domain ownership.
#
<Directory <%= htdocs_directory %>/.well-known/acme-challenge/ >
# This ensures Let's Encrypt can validate domain ownership.
<Directory /srv/*/public/htdocs/.well-known/acme-challenge/ >
Require all granted
<IfModule rewrite_module>
RewriteEngine off
</IfModule>
</Directory>
#
# Write logs
#
ErrorLog "<%= domain.log_dir %>/error.log"
CustomLog "<%= domain.log_dir %>/access.log" combined
# Write logs directly.
ErrorLog "<%= domain.log_dir %>/ssl_error.log"
CustomLog "<%= domain.log_dir %>/ssl_access.log" combined
</VirtualHost>
# Vim Defaults: //vim: ts=2:tw=78: et:
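Review bot: `<Directory "/srv">` with `AllowOverride all` and `Require all granted` (L75–L78) widens the grant from this site's own htdocs to the whole /srv tree: any path under /srv that is later URL-mapped (an Alias, ScriptAlias or VirtualDocumentRoot into another site's `config/`, `php_tmp/` or `php_sessions/`) is served without a further grant, and `.htaccess` files are honoured anywhere under /srv rather than only in the site's web root. Which of the two Directory lines is the new side is inferred from the terser comment style; if `/srv` is the new one, keeping the per-site scope, `<Directory <%=domain_directory%>/public/ >`, as the :443 vhost in ssl.template.erb does at L268, gives the same result for this vhost with no cross-site exposure. The same `/srv` block appears in the :80 vhost of ssl.template.erb (L425). Separately, the log lines in the same new comment style (L148–L150) point this HTTP-only vhost at `ssl_error.log` / `ssl_access.log`, which looks copied from the SSL template; `error.log` / `access.log` as on L146–L147 keeps HTTP and HTTPS traffic in separate log files for review.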
####
###
##
#
# This file is automatically generated from the template located at
# /etc/sympl/apache.d/ssl.template.erb.
#
# Feel free to make changes to this file, however it will NOT be
# automatically updated if the template, or SSL configuration changes.
#
# Feel free to make changes to this file, however this file
# will NOT be updated automatically when the template changes.
##
###
<VirtualHost <%= ips.collect{|ip| ip+":443"}.join(" ") %>>
#
# Put our server name
#
# Set the ServerName to this sites domain name.
ServerName <%= domain %>
#
# This is the testing alias.
#
# Add the testing alias and any others.
ServerAlias <%= domain %>.testing.<%= hostname() %>
#
# And server alias in place
#
<%= server_aliases %>
#
# This is the directory of the error page people are
# redirected to if their site is empty.
#
Alias /__sympl/ "/usr/share/sympl/static/"
<Directory "/usr/share/sympl/static/">
DirectoryIndex index.html
AllowOverride none
Require all granted
</Directory>
#
# And this makes that redirection happen.
#
<LocationMatch "^/+$">
Options -Indexes
ErrorDocument 403 /__sympl/index.html
</LocationMatch>
# Enable HTTP/2
Protocols h2 http/1.1
<IfModule ssl_module>
# Enable SSL
SSLEngine On
SSLEngine On
# The certificate, key, and intermediate bundle (if needed)
<%= ssl_config %>
#
# The certificate, key, and intermediate bundle (if needed)
#
<%= ssl_config %>
# Intermediate configuration, taken from
# https://ssl-config.mozilla.org/#server=apache&server-version=2.4.25&config=intermediate&openssl-version=1.0.1k
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
#
# Intermediate configuration, taken from
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.4.10&openssl=1.0.1k&hsts=yes&profile=intermediate
#
SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
SSLCompression off
#
# OCSP Stapling
#
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
# OCSP Stapling
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
% if hsts_enabled?
<IfModule headers_module>
# HSTS (mod_headers is required) (15768000 seconds = 6 months)
Header always set Strict-Transport-Security "max-age=15768000"
</IfModule>
<IfModule headers_module>
# Enable HSTS (mod_headers is required, 15768000 seconds = 6 months)
Header always set Strict-Transport-Security "max-age=15768000"
</IfModule>
% end
</IfModule>
#
# Enabling PHP for phpMyAdmin
#
<Directory /usr/share/phpmyadmin >
php_admin_value open_basedir /usr/share/phpmyadmin:/usr/share/php:/etc/phpmyadmin:<%=domain_directory%>/php_tmp/
# This provides a helpful error message when the root of the
# site has no content or is inaccessible.
Alias /__sympl/ "/usr/share/sympl/static/"
<Directory "/usr/share/sympl/static/">
DirectoryIndex index.html
AllowOverride none
Require all granted
</Directory>
#
# Allow users to override settings via .htaccess
#
<LocationMatch "^/+$">
Options -Indexes
ErrorDocument 403 /__sympl/index.html
ErrorDocument 404 /__sympl/index.html
</LocationMatch>
# Allow users to override settings via .htaccess
<Directory <%=domain_directory%>/public/ >
AllowOverride all
Require all granted
</Directory>
% if php_security_disabled?
#
# Sets a unique php_tmp/ and php_sessions/ directory for the site.
#
# Set a unique php_tmp/ and php_sessions/ directory for the site.
php_admin_value upload_tmp_dir <%=domain_directory%>/php_tmp/
php_admin_value session.save_path <%=domain_directory%>/php_sessions/
#
# WARNING: Further PHP restrictions are disabled.
#
% else
#
# Restricts PHP from leaving the public directory.
# Also sets a unique php_tmp/ and php_sessions/ directories.
#
# Restrict PHP from leaving the public directory.
# and set a unique php_tmp/ and php_sessions/ directories.
php_admin_value open_basedir <%=domain_directory%>/public/:<%=domain_directory%>/php_tmp/:<%=domain_directory%>/php_sessions/
php_admin_value upload_tmp_dir <%=domain_directory%>/php_tmp/
php_admin_value session.save_path <%=domain_directory%>/php_sessions/
# Prevent executing anything from a WordPress uploads directory,
# and block access to any PHP files in that directory.
<LocationMatch "wp-content/uploads/">
php_admin_flag engine off
php_admin_flag engine off
</LocationMatch>
# And block access to any PHP files in that directory.
<LocationMatch "wp-content/uploads/.*\.php">
deny from all
deny from all
</LocationMatch>
% end
#
# The document root
#
# Set the DocumentRoot
DocumentRoot <%= htdocs_directory %>/
<IfModule cgi_module>
#
# General CGI Handling
#
ScriptAlias /cgi-bin/ <%= cgibin_directory %>/
<Location /cgi-bin>
Options +ExecCGI
</Location>
</IfModule>
#
# Disable indexes by default on the top-level.
#
<LocationMatch "^/+$">
Options -Indexes
</LocationMatch>
#
# Disable any restrictions or rewrites to /.well-known/acme-challenge
# This ensures Let's Encrypt can validate domain ownership.
#
<Directory <%= htdocs_directory %>/.well-known/acme-challenge/ >
# This ensures Let's Encrypt can validate domain ownership.
<Directory /srv/*/public/htdocs/.well-known/acme-challenge/ >
Require all granted
<IfModule rewrite_module>
RewriteEngine off
</IfModule>
</Directory>
#
# Write logs
#
# Write logs directly.
ErrorLog "<%= domain.log_dir %>/ssl_error.log"
CustomLog "<%= domain.log_dir %>/ssl_access.log" combined
</VirtualHost>
<VirtualHost <%= ips.collect{|ip| ip+":80"}.join(" ") %>>
#
# Put our server name
#
# Set the ServerName to this sites domain name.
ServerName <%= domain %>
#
# This is the testing alias.
#
# Add the testing alias and any others.
ServerAlias <%= domain %>.testing.<%= hostname() %>
#
# And server alias in place
#
<%= server_aliases %>
#
# This is the directory of the error page people are
# redirected to if their site is empty.
#
% if mandatory_ssl?
# ssl-only is enabled - sending all traffic to HTTPS
<IfModule rewrite_module>
RewriteEngine On
# Use our server name if HTTP_HOST is empty.
RewriteCond "%{HTTP_HOST}" =""
RewriteRule ^/?(.*) https://<%= domain %>/$1 [R=301,L]
# Otherwise redirect to the same hostname on HTTPS
RewriteRule ^/?(.*) https://%{HTTP_HOST}/$1 [R=301,L]
</IfModule>
% else
# ssl-only is not enabled - server traffic as normal
# This provides a helpful error message when the root of the
# site has no content or is inaccessible.
Alias /__sympl/ "/usr/share/sympl/static/"
<Directory "/usr/share/sympl/static/">
DirectoryIndex index.html
AllowOverride none
Require all granted
</Directory>
#
# And this makes that redirection happen.
#
<LocationMatch "^/+$">
Options -Indexes
ErrorDocument 403 /__sympl/index.html
ErrorDocument 404 /__sympl/index.html
</LocationMatch>
% if mandatory_ssl?
#
# ssl-only is enabled - sending all traffic to https://
#
<IfModule rewrite_module>
#
# This redirects all accesses to the HTTPS version of the site.
#
RewriteEngine On
#
# Use our server name if HTTP_HOST is empty.
#
RewriteCond "%{HTTP_HOST}" =""
RewriteRule ^/?(.*) https://<%= domain %>/$1 [R=301,L]
RewriteRule ^/?(.*) https://%{HTTP_HOST}/$1 [R=301,L]
</IfModule>
% else
#
# ssl-only is not enabled - serving traffic as normal on http://
#
<IfModule rewrite_module>
# Enforcing HTTPS for /phpmyadmin
RewriteEngine On
RewriteCond "%{HTTPS}" "off"
RewriteCond "%{HTTP_HOST}" =""
RewriteRule "^/?(phpmyadmin.*)$" "https://<%= domain %>/$1" [R=301,L]
RewriteCond "%{HTTPS}" "off"
RewriteRule "^/?(phpmyadmin.*)$" "https://%{HTTP_HOST}/$1" [R=301,L]
</IfModule>
#
# Allow users to override settings via .htaccess
# and enables PHP in htdocs/.
#
<Directory <%= htdocs_directory %>/ >
# Allow users to override settings via .htaccess
<Directory "/srv">
AllowOverride all
Require all granted
</Directory>
% if php_security_disabled?
#
# Set unique tmp/ and sessions/ directories
#
# Set a unique php_tmp/ and php_sessions/ directory for the site.
php_admin_value upload_tmp_dir <%=domain_directory%>/php_tmp/
php_admin_value session.save_path <%=domain_directory%>/php_sessions/
#
# WARNING: Further PHP restrictions are disabled.
#
% else
#
# Restricts PHP from leaving the public directory.
# Also sets a unique PHP tmp/ and sessions/ directories.
#
# Restrict PHP from leaving the public directory.
# and set a unique php_tmp/ and php_sessions/ directories.
php_admin_value open_basedir <%=domain_directory%>/public/:<%=domain_directory%>/php_tmp/:<%=domain_directory%>/php_sessions/
php_admin_value upload_tmp_dir <%=domain_directory%>/php_tmp/
php_admin_value session.save_path <%=domain_directory%>/php_sessions/
#
# Prevent executing anything from a WordPress uploads directory,
# And block access to any PHP files in that directory.
#
# and block access to any PHP files in that directory.
<LocationMatch "wp-content/uploads/">
php_admin_flag engine off
php_admin_flag engine off
</LocationMatch>
<LocationMatch "wp-content/uploads/.*\.php">
deny from all
deny from all
</LocationMatch>
% end
#
# The document root
#
DocumentRoot <%= htdocs_directory %>/
# Set the DocumentRoot
DocumentRoot <%= htdocs_directory %>/
<IfModule cgi_module>
#
# General CGI Handling
#
ScriptAlias /cgi-bin/ <%= cgibin_directory %>/
<Location /cgi-bin>
Options +ExecCGI
</Location>
</IfModule>
#
# Disable indexes by default
#
# Disable indexes by default on the top-level.
<LocationMatch "^/+$">
Options -Indexes
</LocationMatch>
#
# Disable any restrictions or rewrites to /.well-known/acme-challenge
# This ensures Let's Encrypt can validate domain ownership.
#
<Directory <%= htdocs_directory %>/.well-known/acme-challenge/ >
# This ensures Let's Encrypt can validate domain ownership.
<Directory /srv/*/public/htdocs/.well-known/acme-challenge/ >
Require all granted
<IfModule rewrite_module>
RewriteEngine off
</IfModule>
</Directory>
#
# Write logs
#
% end
# Write logs directly.
ErrorLog "<%= domain.log_dir %>/error.log"
CustomLog "<%= domain.log_dir %>/access.log" combined
% end
</VirtualHost>
# Vim Defaults: //vim: ts=2:tw=78: et:
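Review bot: The position of the `% end` that closes `% if mandatory_ssl?` in the :80 vhost decides whether the redirect-only vhost gets its own logs: with `% end` at L500 (before the log directives) both branches write to `<%= domain.log_dir %>`, but with `% end` at L504 the ssl-only vhost has no ErrorLog/CustomLog and its 301s land only in the server-wide default log, which is not where anyone looks when reviewing traffic to a site. Old and new placement cannot be told apart on this rendering; the intended one is L500, and a comment `# Logs are written for both the redirect-only and the normal vhost.` above `ErrorLog` would stop it drifting in a later edit. Separately, the WordPress uploads guard at L299–L302 uses the 2.2-era `deny from all` (requires mod_access_compat) while the rest of the file uses 2.4 `Require` syntax; `Require all denied` is the consistent form, and the same applies to L106–L109 in non_ssl.template.erb and L458–L461 in this file's :80 vhost.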
###
##
#
# This file is automatically generated from the template located at
# /etc/sympl/apache.d/zz-mass-hosting.ssl.template.erb.
#
# Feel free to make changes to this file. If changes are made, then this file
# will not be updated automatically when the template changes.
#
# Feel free to make changes to this file, however this file
# will NOT be updated automatically when the template changes.
##
###
<VirtualHost <%= ips.collect{|ip| ip+":443"}.join(" ") %>>
<VirtualHost <%= ips.collect{|ip| ip+":443"}.join(" ") %>>
#
# The ServerName has been explicitly set here to the machine's
# hostname, because that is what it defaults to anyway. See below
# where we set the ServerAlias.
#
# hostname, because that is what it defaults to anyway.
ServerName <%= hostname %>
# We need a wildcard server alias, so Apache knows to check
# where when names don't match elsewhere.
ServerAlias *
# Disable the "single" name for this server.
UseCanonicalName Off
# Enable HTTP/2
Protocols h2 http/1.1
<IfModule ssl_module>
# Enable SSL
SSLEngine On
#
# The certificate, key, and intermediate bundle (if needed)
#
<%= ssl_config %>
#
# Intermediate configuration, taken from
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.4.10&openssl=1.0.1k&hsts=yes&profile=intermediate
#
SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
SSLCompression off
# Intermediate configuration, taken from
# https://ssl-config.mozilla.org/#server=apache&server-version=2.4.25&config=intermediate&openssl-version=1.0.1k
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1